Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


I have a small branch office that currently has a Pix 506E.  I am going to replace this Pix with a pair of ASA5505s configured in Active/Standby.  The ASA will do NAT/PAT, 5 site-to-site VPNs, a remote access VPN, as well as inbound and outbound ACLs.  There are 20 users at this location.

Reading the Active/Failover documentation from Cisco, I see the ASA5505 does not support Stateful Failover, but all other ASA models do.  Can someone explain what "stateful failover" means?  My thinking is that all connections are dropped when failover occurs, and that the users will have to reconnect to their hosted applications.  Am I correct?  Thanks.
0
I am trying to set a default Cisco VPN connection, but it's not working.   I am following the procedure from the Cisco website.

Setting a Default Connection Entry

If you have a default connection entry (also known as default profile) configured, the VPN Client opens the default connection entry when you launch it. To make one of your connection entries the default connection entry, use the following procedure:
 
--------------------------------------------------------------------------------

Step 1 Select a connection entry in the list underneath the Connection Entries tab.
 
Step 2 Display the Connection Entries menu or right-click the connection entry name and choose Set as Default Connection Entry.
 
The default connection entry appears as bold in the list of connection entries.

Any ideas how I can change this?
0
I have a new customer who has a Pix 506E.  They have 6 site-to-site VPNs configured on this Pix.   I have a Cisco ASA5510.  I am creating a site-to-site VPN from my ASA to their Pix tomorrow.  I also need VPN access to the other 6 locations that the Pix has site-to-site VPNs to as well.   Will I need to create 6 more site-to-site VPNs on my ASA to have access to those from my network?  Would I be able to somehow get to those other six networks just from the single VPN I will be creating tomorrow?  Thanks.
0
How to implement site-to-site IPsec tunnel Between Cisco 1841 router and Linux Box CentOS 5.5  Using Openswan
0
Hey - you know when people refer to stuff like Federal Information Processing Standards, are they on about disk-level encryption? Or data in transit?
For example, are there FIPS-compliant protocols? Or is it just FIPS-compliant encryption software for data at rest?
For example, if someone sells you FIPS-compliant encryption, what are they selling you? Disk encryption, or some sort of encrypted certificate?
Excuse my ignorance (please bear that in mind in your responses).
0
Hi Folks,
I would really value some advice regarding a Cisco ACL policy design. I am a voice engineer and I have set up an Asterisk High Availability cluster, and I have a Cisco 1841 controlling the LAN/WAN access to this cluster.

I have quite a few clients who will be using this cluster for hosted telephony, and they all have fixed IP addresses that I can add to the Cisco ACL to allow full access to their SIP/IAX phones for registration.

Here is the problem:

Some of my clients have home connections and their routers have dynamic IPs, so I can't open the IP for access to them as their IP may change. I also have clients that have SIP clients on their mobile phones, and we have a similar problem with these.

I can't run a MAC-address filter on the router as it is a layer 3 device, and the only option that I could see is maybe IPsec or PPTP.

Does anyone have any suggestions?

0
Hello, I have a Cisco 2800 IOS 12.4 router set up as the head end of a point-to-multipoint VPN network, with one Cisco 871 IOS 12.4 router at each of two separate remote locations. Each location has Comcast Internet. The routers are all configured and have access to the Internet at each location. The problem is I cannot ping or access the LAN between the routers. All the interfaces including Tunnels are up, so I think it may be NAT. Here are the configs:

CISCO 2800 IOS 12.4 ROUTER HEAD END
Current configuration : 5833 bytes
!
! Last configuration change at 07:08:07 MST Sun Oct 9 2011 by Admin
! NVRAM config last updated at 07:08:09 MST Sun Oct 9 2011 by Admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO2800HEADEND
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$IDj5$v4MYtN1vnZeULbDa8ZRvn1
!
aaa new-model
!
!
aaa authentication login default local-case
!
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.151 192.168.3.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 75.75.75.75 8.8.8.8
   domain-name ourdomain.local
!
!
no ip bootp server
no ip domain lookup
ip name-server 75.75.75.75
ip name-server 8.8.8.8


0
Hi
I am looking for the material of some security courses. Where can I find them? Free or paid does not matter.
I am looking for CEH, CISA, CISSP and CCNA, as an example.
0
Hello,

I installed freeradius2 with the MySQL module on CentOS, and everything works well. I mean I create a user in the MySQL database, test it with "radtest", and receive an Access-Accept message.

Now I want to connect to the server with PPTP, L2TP and OpenVPN connections, and when I try it I receive an error and the connection is not established.

Does anyone know how I should do it?
0
Is it possible to have one user on the Cisco VPN client tunnel all internet requests through the tunnel instead of their local network?
0
Hi, any ideas for these messages on an 1811? I am trying to create a site-to-site tunnel between an RV042 and a Cisco 1811.

The 1811 log shows:

%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 1.2.3.4 was not encrypted and it should've been.
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 1.2.3.4 failed its sanity check or is malformed
0
I have got a Cisco 3750 and an ASA and am getting the error message "received encrypted packet with no matching sa, dropping".
After googling, I have found that you usually get this error message when there is an ACL mismatch; however, I am sure the ACLs are the same. Please see the config below and advise:


ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 21.21.21.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.6.200 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list policy-nat extended permit ip 10.10.6.0 255.255.255.0 192.168.3.0 255.255.255.0 log
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 192.168.2.0  access-list policy-nat
route outside 0.0.0.0 0.0.0.0 21.21.21.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00…
0
I have successfully set up RADIUS authentication for Cisco VPN users to authenticate against the Windows Server 2003 AD with IAS.  Configured on a Cisco ASA 5510, but it will also be fielded to a 5505 and a Cisco PIX 501.

Is there a way to automatically populate the DOMAIN field on the Cisco login prompt, which consists of a Cisco dialogue box with fields for USERNAME, PASSWORD, and DOMAIN?
0
Since the Cisco VPN Client is reaching end of life, I'm looking for another solution.  Right now I have thousands of users who use the Cisco VPN Client to connect to their hosted applications.  I would like to go with Cisco AnyConnect, but I'm a little unsure about the licensing.  I see there is AnyConnect Premium and AnyConnect Essentials.  AnyConnect Premium is way out of my budget, but AnyConnect Essentials seems affordable.  I'm looking for someone who has used AnyConnect Essentials.  I have read the documentation, but I'm still unsure how AnyConnect Essentials works.  Do I get to it via a webpage, or do I need to install the client on all machines.  How many AnyConnect Licenses can go on a ASA5510?  I have read Cisco's documentation on AnyConnect, but not using it before I want to be sure that AnyConnect Essentials will do everything that the Cisco VPN Clients does.  Thanks.
0
Dear all,

I configured remote access VPN on my ASA. Now all users outside can connect to the VPN when they enter the remote access host (80.80.80.80), but some users on the inside also want to use the VPN remote client, and when they put the host (80.80.80.80) into the VPN remote client software they can't connect to the VPN. So tell me what the solution is to let internal users access the remote VPN client.
Note:
1- I can't assign a static IP to users inside.
2- If needed, I'll send the ASA config.
0
Hi Guys,

I am trying to configure a Fortigate 50GB to pass through VPN requests to a Microsoft 2003 RAS server. Any idea on the best way to do this? I am having no luck.
0
Hello to all Cisco experts

I have a few questions regarding VPN tunnels between a Cisco 881 and an ASA 5510.

I am supposed to build a few of them, with 881s at the branch ends and the 5510 at my central location.

The questions I have are mostly in regard to the 881 at the branch ends. I got these routers directly from Cisco for a project pilot we are running with them for one of our important customers.  Besides the console port, the following ports are available on the back panel:

A FastEthernet switch with 4 ports (FE0 to FE3)
One FEWAN port marked as FEWAN (FE04 in the configuration file)
A virtual LAN VLAN1, which of course does not have a physical port, so my assumption is that the switch ports FE0 to FE3 are part of this VLAN1

All I need is to create VPN tunnels between these routers and my ASA 5510.  

Here are my questions:

1. It appears that an IP can be assigned to interfaces VLAN1 and FE04 only. I think VLAN1 is for the internal IP and FastEthernet4 for the external IP.  What is the approach here?

       a. Put the DSL modem in bridge mode and assign the external IP to FEWAN FE04 and the internal IP to the VLAN1 interface (this IP will act as gateway for the internal subnet)
       b. Put the DSL in bridge mode and configure the 881 to act as a PPPoE client?

2. Is there a good document on how to set this up?

Thank you for taking the time to read and (hopefully) reply to my question.

Cheers

0
Hi Guys,

Trying to get L2TP (certificates) to work between my VPN clients and an ISA 2004 server.

Have the following:

My own CA server on Domain X
My ISA server is stand-alone (not part of the domain)
Windows XP / 7 clients

I have installed a CA certificate in the Trusted Root of ISA.  (This works fine, as I use it for SSL traffic for OWA client -> ISA -> Exchange.)

Using the CA web page http://local_ip/certsvr I have installed a user certificate on my client machine.

I have set up ISA to accept L2TP and use certificate authentication.
I have set up the client to use L2TP and selected the certificate to use for authentication.

I get the error: the connection requires a certificate and no certificate was found.  I have checked that the certificate is there.

When using L2TP with the pre-shared key, all works well.  So I know it's a certificate issue.

Has anyone come across this before?

Any help... much appreciated.

IM
0
Using strongSwan 4.3.5 as the gateway.
Server 2008 as the client & certificate authority.

Issued a cert to the client with the requirements as outlined here: http://wiki.strongswan.org/projects/strongswan/wiki/Win7CertReq

Server 2008 still reports an error in eventvwr:
IKE authentication credentials are unacceptable; failure is 13801.


0
I currently have OpenVPN installed on Ubuntu, which works great. I have an upcoming project where I have to provide remote access to thousands of users. I am considering OpenVPN for this, because it's worked great for me in the past. What concerns me is: can I load balance, let's say, three OpenVPN servers to share the load? I have been searching online, but I haven't really found too much information regarding this. I found one article, but it didn't really seem like it was true load balancing. When I say true load balancing, I mean I want all three OpenVPN servers to share the load. I don't want one server handling 500 connections and the other two servers only having 10 or 20 connections. Any assistance would be greatly appreciated. Thanks.
0
Hi!
I have got 3 different WAN locations that need to speak to each other. Right now they are connected through one IPsec VPN and one IP-VPN (delivered by the ISP).   Locations A and B, and B and C, can talk to each other, but how can I route traffic so that location A can also communicate with location C?
I tried to add different routes on the location A firewall. But no matter what I do, I can't get the traffic through the IPsec tunnel and forwarded to location C.
How can I solve this?
0
I am adding a new location to an existing Cisco site-to-site VPN.  

We cannot get the new site's VPN tunnel up.

Can someone help?  I've attached the configs.  The main site already has another VPN connected to it, and it's working fine.  I've verified the IP addresses in the config are correct.  There is Internet access at the new site.  Just no VPN tunnel.
0
Hello Techs,

I'm new to the Cisco ASA stuff, but I'm trying to set up AnyConnect with an ASA 5510. The problem is that I can't get out to the internet or access any server.
First of all, I can connect to the VPN with a user created in the ASA and I get an IP from the ASA (10.10.25.0/24), which is good too. My problem is that the default gateway showing for the VPN is 10.0.0.1 (I'm not sure why), and when I try to ping my servers, which are in the subnet 10.10.12.0, I get a timeout.
I'm not sure if something is missing in my config; please advise.
Thanks,

asa01# show run
: Saved
:
ASA Version 8.4(2)
!
hostname asa01
domain-name mycompany.com
enable password 7xElFFjIAHUx9Pr encrypted
passwd 2KFQnDDD.dI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif OutSide
 security-level 0
 ip address 6X.XXX.XX.140 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.12.253 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.10.20.253 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
banner motd           ** WARNING **
banner motd Unauthorized access prohibited. all access is
banner motd monitored, and trespassers shall be prosecuted
banner motd to the fullest extent of the law. 
ftp mode passive
dns server-group DefaultDNS
 domain-name mycompany.com
object network 


0
I wanted to test my wifi security, but I don't know how.  My friend just went to a "computer show" and purchased some software that is supposed to "crack" any wifi, and we had a conversation over the phone and he wants to prove that this software will crack my wifi.  My question really is: how can I make sure he does not crack my password/passphrase?  According to him, the software can crack WEP, WPA, and my WPA2 encryption.  

Lastly, how would I be able to test my own network?  What I wanted to do was, since I have three PCs/laptops within my wifi, how could I connect to another PC/laptop or view other files within my separate PCs/laptops without knowing their IP address?
0
We currently have two Cisco 1800s routers. Set up on each is a site-to-site VPN.

This works fine, but about twice a week the connection starts dropping every other packet. The only way to resolve the issue is by a reboot of ROUTER B in the remote location, or just waiting for the connection to sort itself out, which can take anywhere from 15 mins to a few hours.

Below is the running config of each router, ROUTER A being the local and ROUTER B being the remote.

Thanks


ROUTER A

Building configuration...

Current configuration : 27366 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Hixon_Acc
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$I3m7$6GZtaBYC3hpdcIPjCQ36I.
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
 server 10.0.0.251 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 passwd-expiry group sdm-vpn-server-group-1
aaa authentication login sdm_vpn_xauth_ml_4 group radius
aaa authorization exec default local 
aaa authorization 


0